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CLAIMS 

What is claimed is: 



1 1 . A method for facilitating Internet security protocol (IPsec) based communications 

2 through a device that employs address translation in a telecommunications network, 

3 the method comprising the steps of: 

4 receiving a first electronic message from a first node, wherein the first electronic 

5 message is based on IPsec and is associated with a first identifier; 

6 generating a value based on the first identifier; 

7 sending the first electronic message to a second node; 

8 receiving a second electronic message from the second node, wherein the second 

9 electronic message is based on IPsec and is associated with a second identifier 

10 that is different than the first identifier, wherein the second identifier is 

1 1 generated based on the first identifier; 

12 determining whether the second electronic message is directed to the first node based 

13 on the value and the second identifier; and 

14 sending the second electronic message to the first node when the second electronic 

1 5 message is determined to be directed to the first node. 

12. A method as recited in claim 1, further comprising the steps of: 

2 receiving a third electronic message from a third node, wherein the third electronic 

3 message is based on IPsec and is associated with a third identifier; 

4 generating an additional value based on the third identifier; 

5 sending the third electronic message to the second node; 

6 wherein the step of receiving comprises receiving, after sending the first electronic 

7 message and the third electronic message to the second node, the second 

8 electronic message from the second node, wherein the second electronic 

9 message is based on IPsec and is associated with the second identifier that is 

10 different than the first identifier and the third identifier; 

1 1 determining whether the second electronic message is directed to the third node based 

12 on the additional value and the second identifier; and 
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when the second electronic message is determined to be directed to the third node, 
sending the second electronic message to the third node. 

A method as recited in claim 1, wherein the step of generating the value comprises the 
step of generating the value based on the first identifier and a specified scheme, and 
wherein the second identifier is generated based on the first identifier and the 
specified scheme. 



output. 

A method as recited in claim 3, wherein the specified scheme is a hash algorithm. 

A method as recited in claim 5, wherein the hash algorithm is a Message Digest 5 
one-way hash function. 

A method as recited in claim 1, wherein the value is a hash value, and wherein the 
second identifier is the hash value. 

A method as recited in claim 1, wherein the value is a hash value, and wherein the 
second identifier is based at least in part on the hash value. 

A method as recited in claim 8, wherein the hash value is comprised of a first plurality 
of bytes, wherein the second identifier is comprised of a second plurality of bytes, and 
wherein a last pair of bytes of the second plurality of bytes is a first pair of bytes of 
the first plurality of bytes, and wherein the step of determining whether the second 
electronic message is directed to the first node comprises the step of comparing the 
last pair of bytes of the second identifier to the first pair of bytes of the hash value. 

A method as recited in claim 1, wherein the first identifier is a first IPsec security 
parameter index and the second identifier is a second IPsec security parameter index. 

A method as recited in claim 1, wherein the first electronic message is based on IPsec 
tunnel mode and the second electronic message is based on IPsec tunnel mode. 
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112. A method as recited in claim 1 , wherein the first electronic message is based on IPsec 

2 Encapsulation Security Payload (ESP) and the second electronic message is based on 

3 IPsec ESP. 



1 



1 



13. A method as recited in claim 1, wherein the first node is an IPsec originator node and 



2 the second node is an IPsec responder node. 



14. A method as recited in claim 1, further comprising the steps of creating and storing a 
2 mapping between the value and the first identifier. 

1 15. A method as recited in claim 14, wherein the step of creating and storing comprises 

2 the steps of: 

3 creating an association between the value and the first identifier; and 

4 storing the association in a translation table. 

1 16. A method as recited in claim 1 , further comprising the steps of: 

2 when the second electronic message is determined to be directed to the first node, 

3 creating an association between the first identifier and the second identifier; 



04 and 



5 storing the association in a table. 

1 17. A method as recited in claim 16, further comprising the steps of: 

2 receiving a third electronic message from the second node, wherein the third 

3 electronic message is based on IPsec and is associated with the second 

4 identifier; and 

5 determining that the third electronic message is directed to the first node based on the 

6 association. 

1 18. A method as recited in claim 1 , further comprising the steps of: 

2 receiving a third electronic from the second node, wherein the third electronic 

3 message is based on IPsec and is associated with a third identifier that is 

4 different than both the first identifier and the second identifier; 
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determining whether the third electronic message is directed to the first node based on 


6 




the value and the third identifier; and 


7 




when the third electronic message is determined to be directed to the first node, 


8 




sending the third electronic message to the first node. 


1 


19. 


A method as recited in claim 1, wherein the step of generating the value is performed 


2 




before the sten of receiving the second electronic message 


1 


20. 


A method as recited in claim 1, wherein the step of generating the value is performed 


2 




after the step of receiving the second electronic message. 


1 


21. 


A method as recited in claim 1 wherein the device emn1nv<i network arlrlrpcQ 


%A 2 




translation (NAT). 
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A method as recited in claim 1 wherein the device etnnlnvs dvnamir aHHre^Q 1STAT 


A 1 
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A method as recited in claim 1, wherein the device employs network address port 
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translation (NAPT). 
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24. 


A method for facilitating Internet security protocol (IPsec) based communications 
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through a device that employs address translation in a telecommunications network, 
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the method comprising the steps of: 


Twijf A 
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receiving a first electronic message from a first node, wherein the first electronic 


c 
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message is based on IPsec and is associated with a first identifier, wherein the 


6 




first identifier is generated based on a second identifier and the first identifier 


7 




is different than the second identifier; 


o 
0 




sending the first electronic message to a second node; 


Q 




receiving a second electronic message from the second node, wherein the second 


10 




electronic message is based on IPsec and is associated with the second 


11 




identifier; 


12 




generating a value based on the second identifier; 


13 




determining whether the second electronic message is directed to the first node based 


14 




on the value and the first identifier; and 
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15 sending the second electronic message to the first node when the second electronic 

16 message is determined to be directed to the first node. 

17 25. A method for facilitating Internet security protocol (IPsec) based communications 

18 with a device that employs address translation in a telecommunications network, the 

19 method comprising the steps of: 

20 generating a value based on a first identifier that is associated with a first node; 

21 generating a second identifier based on the value; 

22 receiving, from the device that employs address translation, a first electronic message 

23 that originates from the first node, wherein the first electronic message is 

24 based on IPsec and is associated with the first identifier; 

25 in response to receiving the first electronic message, generating a second electronic 
Q 26 message to the first node, wherein the second electronic message is based on 
:S 27 IPsec and is associated with the second identifier; 

III 28 sending the second electronic message to the device that employs address translation; 

vj 29 wherein the device determines whether the second electronic message is directed to 
W 30 the first node based on the second identifier and an additional value based on 

□ 31 the first identifier; and 

f; 32 wherein the device sends the second electronic message to the first node when the 
N 33 device determines that the second electronic message is directed to the first 

l5l 34 node. 

1 26. A method as recited in claim 25, wherein the step of generating the second identifier 

2 comprises the step of generating the second identifier based on the value and a third 

3 identifier. 

1 27. A method as recited in claim 25, wherein the step of generating the value comprises 

2 the step of generating the value based on the first identifier and a specified scheme. 
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28. A method as recited in claim 27, wherein the value is a hash value, the first identifier 
is a first IPsec Security Parameter Index (SPI), the second identifier is a second IPsec 
SPI, and the step of generating the second IPsec SPI comprises the step of generating, 
prior to receiving the first electronic message, the second IPsec SPI based on the hash 
value. 

29. A method as recited in claim 28, wherein the first IPsec SPI is a first randomly 
generated fixed length value and the step of generating the second IPsec SPI 
comprises the step of generating the second IPsec SPI based on at least a first portion 
of the hash value and a second portion of a second randomly generated fixed length 
value. 

30. A method for facilitating Internet security protocol (IPsec) based communications 
through a router that employs network address translation in a telecommunications 
network, the method comprising the steps of: 

receiving a first electronic message from a first IPsec originator node, wherein the 

first electronic message is secured using IPsec and is associated with a first 

security parameter index (SPI); 
generating a first hash value based on the first SPI and a hash algorithm; 
sending the first electronic message to an IPsec responder node; 
receiving a second electronic message from a second IPsec originator node, wherein 

the second electronic message is secured using IPsec and is associated with a 

second SPI; 

generating a second hash value based on the second SPI and the hash algorithm; 

sending the second electronic message to the IPsec responder node; 

after sending the first electronic message and the second electronic message to the 
IPsec responder node, receiving a third electronic message from the IPsec 
responder node, wherein the third electronic message is secured using IPsec 
and is associated with a third SPI that is different than the first SPI and the 
second SPI, wherein the third SPI is generated by the IPsec responder node 
based at least in part on the hash algorithm; 
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determining whether the third electronic message is directed to the first IPsec 
originator node based on the first hash value and the third SPI; 

when the third electronic message is determined to be directed to the first IPsec 
originator node, sending the third electronic message to the first IPsec 
originator node; 

determining whether the third electronic message is directed to the second IPsec 
originator node based on the second hash value and the third SPI; and 

when the third electronic message is determined to be directed to the second IPsec 
originator node, sending the third electronic message to the second IPsec 
originator node. 

31. A method as recited in claim 30, wherein the first electronic message is based on 
IPsec tunnel mode and IPsec Encapsulating Security Payload (ESP), the second 
electronic message is based on IPsec tunnel mode and IPsec ESP, and the hash 
algorithm is a Message Digest 5 one-way hash function. 
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